Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
It's actually a suggested configuration / best practice to NOT have container user IDs matching the host user IDs.
Ditch the idea of root and user in a docker container. For your containerized application use 10000:10001. You'll have only one application and one "user" in the container anyways when doing it right.
To be even more on the secure side use a different random user ID and group ID for every container.
This is really dependent on whether or not you want to interact with mounted volumes. In a production setting, containers are ephemeral and should essentially never be touched. Data is abstracted into stores like a database or object storage. If you’re interacting with mounted volumes, it’s usually through a different layer of abstraction like Kibana reading Elastic indices. In a self-hosted setting, you might be sidestepping dependency hell on a local system by containerizing. Data is often tightly coupled to the local filesystem. It is much easier to match the container user to the desired local user to avoid constant
sudo
calls.I had to check the community before responding. Since we’re talking self-hosted, your advice is largely overkill.
… basically anything. Yes. You will always find yourself in problems where the best practice isn’t the best solution for.
In your described use case an option would be having the application inside the container running with
10000:10001
but writing the data into another directory that is configured to use1000:1001
(or whatever the user is you want to access the data with from your host) and just mount the volume there. This takes a bit more configuration effort than just running the application with1000:1001
… but still :)Do I need to actually create the user in advance or can I just choose a string as I see fit?
You don't need to create the user first. Here's the simplest I can come up with:
This simply runs
/app/myscript.sh
with UID 10000 and GID 10001.Wasnt aware that you can just think of IDs from fresh air.
Thought it was to create the user and ID manually amd then be able to use it.
Yep! The names are basically just a convenient way for referencing a user or group ID.
Under normal circumstances you should let the system decide what IDs to use, but in the confined environment of a docker container you can do pretty much what you want.
If you really, really, really want to create a user and group just set the IDs manually:
Just make sure to stay at or above 10000 so you won't accidentally re-use IDs that are already defined on the host.